US10375044B2ActiveUtilityA1

Apparatus and method for establishing secure communication channels in an internet of things (IoT) system

70
Assignee: AFERO INCPriority: Jul 3, 2015Filed: Aug 7, 2017Granted: Aug 6, 2019
Est. expiryJul 3, 2035(~9 yrs left)· nominal 20-yr term from priority
H04L 63/0492H04L 9/0841H04L 9/0877H04L 9/0861H04L 63/0442H04L 9/0825H04L 63/061
70
PatentIndex Score
1
Cited by
247
References
10
Claims

Abstract

An apparatus and method are described for secure communication between IoT devices and an IoT service. For example, one embodiment of a system comprises: an Internet of Things (IoT) service to establish communication with an IoT device through an IoT hub or a mobile user device; a first encryption engine on the IoT service comprising key generation logic to generate a service public key and a service private key; a second encryption engine on the IoT device comprising key generation logic to generate a device public key and a device private key; the first encryption engine to transmit the service public key to the second encryption engine and the second encryption engine to transmit the device public key to the first encryption engine; the first encryption engine to use the device public key and the service private key to generate a secret; the second encryption engine to use the service public key and the device private key to generate the same secret; and wherein once the secret is generated, the first encryption engine and the second encryption engine encrypt and decrypt data packets transmitted between the first encryption engine and the second encryption engine using the secret or using a data structure derived from the secret.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method comprising:
 establishing communication between an Internet of Things (IoT) service and an IoT device through an IoT hub; 
 generating, by the IoT service, a first packet comprising an IoT service serial number and an IoT service public key, and signing the first packet using a factory private key of a factory public/private key pair implemented by a manufacturer of the IoT service and/or the IoT device; 
 transmitting the signed first packet from the IoT service to the IoT device; 
 verifying, by the IoT device, the signed first packet using a factory public key of the factory public/private key pair; 
 generating, by the IoT device, a second packet comprising an IoT device serial number and an IoT device public key, and signing the second packet using the factory private key; 
 transmitting the signed second packet from the IoT device to the IoT service; and 
 verifying, by the IoT service, the signed second packet using the factory public key. 
 
     
     
       2. The computer-implemented method of  claim 1 , further comprising:
 generating, by the IoT service, a third packet comprising an IoT service session public key of a IoT service session public/private key pair generated by a key generation logic of the IoT service, and signing the third packet using an IoT service private key; 
 transmitting the signed third packet from the IoT service to the IoT device; 
 verifying, by the IoT device, the signed third packet using the IoT service public key from the first signed packet; 
 generating, by the IoT device, a fourth packet comprising an IoT device session public key of an IoT device session public/private key pair generated by a key generation logic of the IoT device, and signing the fourth packet using an IoT device private key; 
 transmitting the signed fourth packet from the IoT device to the IoT service; and 
 verifying, by the IoT service, the signed fourth packet using the IoT device public key from the second signed packet. 
 
     
     
       3. The computer-implemented method of  claim 2 , further comprising:
 generating, by the IoT service, a first session secret using the IoT service session private key and the IoT device session public key from the signed third packet; 
 generating, by the IoT device, a second session secret using the IoT device session private key and the IoT service session public key from the signed fourth packet, the first session secret and the second session secret having a same value; 
 encrypting, by the IoT service, a first random number using the first session secret to generate a first encrypted packet; 
 transmitting the first encrypted packet from the IoT service to the IoT device; and 
 decrypting, by the IoT device, the first encrypted packet using the second session secret to retrieve the first random number. 
 
     
     
       4. The computer-implemented method of  claim 3 , further comprising:
 encrypting, by the IoT device, the retrieved first random number using the second session secret to generate a second encrypted packet; 
 transmitting the second encrypted packet from the IoT device to the IoT service; 
 decrypting, by the IoT service, the second encrypted packet using the first session secret to retrieve a second random number; 
 verifying, by the IoT service, that the second random number retrieved from the second encrypted packet is the same as the first random number; and 
 wherein upon a positive verification, the IoT service is to send a successful pairing notification to the IoT device, and wherein all subsequent message between the IoT service and IoT device are encrypted using either the first session secret or the second session secret. 
 
     
     
       5. The computer-implemented method of  claim 1 , wherein communications between the IoT service and the IoT hub are over an encrypted channel. 
     
     
       6. The computer-implemented method of  claim 1 , wherein communications between the IoT device and the IoT hub are over an unencrypted channel. 
     
     
       7. The computer-implemented method of  claim 1 , wherein the key generation logic comprises a hardware security module (HSM). 
     
     
       8. The computer-implemented method of  claim 1 , wherein the IoT service comprises a first counter which is incremented each time a data packet is transmitted from the IoT service to the IoT device. 
     
     
       9. The computer-implemented method of  claim 8 , wherein the IoT device comprises a second counter which is incremented each time a data packet is transmitted from the IoT device to the IoT service. 
     
     
       10. The computer-implemented method of  claim 5 , wherein the encrypted channel between the IoT service and the IoT hub is created using elliptic curve digital signature algorithm (ECDSA) certificates.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.